oversight

Insecure Password Reset Process on Agency-owned Information Systems

Published by the Office of Personnel Management, Office of Inspector General on 2012-02-07.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

John Berry                                                                                          2




We recommend that the Office of the Chief Information Officer review the security of the
password reset feature of all OPM systems that contain PII. During this review we also
determined that the password complexity requirements for        are not compliant with OPM
policy, and recommend that the appropriate system modifications be implemented.

Scope and Methodology

We reviewed situation room reports related to the          security breach and the
vulnerability tip. We also independently tested the process for resetting passwords for
       and        to evaluate the risk that a user’s password could be changed by someone other
than the individual owning the account.

Our review was not conducted in accordance with Generally Accepted Government Auditing
Standards (GAGAS). The nature and scope of the work performed was consistent with that
expected of a GAGAS audit; however, because we consider this to be a review, the
documentation, reporting, and quality control standards are not as stringent.

Review Results

Prior to the security breach, a user could reset their   password by entering
                  and
                                                                                            After
the security breach, the password reset feature for    was modified so that users
                                they can no longer conduct the entire transaction directly on the
public-facing website.

An OPM employee can create their own          account at the system’s website by entering t
                           . Passwords for existing accounts can be reset on the website with
the same information. During our review, we also determined that                      are not
enforced by       we were able to create a password
             ). The OPM Information Security and Privacy Policy Handbook states that
information systems must enforce minimum password complexity of at least                    ,
                                                                      .

In order to reset an       password on the system’s website, a user must enter the
                                                            , and
       If a user does not know their           it can also be obtained directly on the website by
entering
Users must
                    . However, like        these
John Berry                                                                                        3
As an additional security feature,
                                               Although this control would alert an authorized
user that their account was breached, it does nothing to prevent an attack from occurring.

We believe that the issues identified in these three OPM systems represent an agency-wide
security vulnerability. Although it is typically more convenient for a user to change their
password directly on a system’s website, this feature increases the risk that an attacker that
knows enough information about a user could gain unauthorized access to the system. This risk
is increased greatly for systems that have a public-facing website, as anyone with an Internet
connection could attempt to hack user accounts. A more secure option is

                                              Once this additional control is implemented, an
attacker would not only need to
                                                                   .

Recommendation 1
We recommend that       be modified to enforce the strict password complexity requirements in
accordance with OPM’s Information Security and Privacy Policy Handbook.

Recommendation 2
We recommend that          be modified to                                       that request to
create new accounts or reset the passwords of existing accounts.

Recommendation 3
We recommend that the Office of the Chief Information Officer conduct a review to identify
other OPM systems that allow users to
               . The systems identified should be modified so that a
                                                                              The
         should also be strengthened so that


cc:    Elizabeth A. Montoya
       Chief of Staff


       Director, Executive Secretariat and Ombudsman

       Matthew E. Perry
       Chief Information Officer


       Director
       Internal Oversight & Compliance
John Berry                                 4



      Deputy Director
      Internal Oversight & Compliance


      Chief, Policy and Internal Control